On 2025-04-12 Andrew Bower <and...@bower.uk> wrote:
> Package: gnupg
> Version: 2.4.7-14
> Severity: normal
>
> I upgraded gnupg from 2.2.46-6 to 2.4.7-13 and all operations with a hardware
> security module (Yubikey 5) now fail.
>
> It may be that there is a user configuration or dependency change that needs
> satisfying but I can't find any documentation to that effect:
>
> # gpg --card-status
> gpg: selecting card failed: No such device
> gpg: OpenPGP card not available: No such device
>
> Other tools such as yubioath-desktop and ykman can interact with the device
> fine:
>
> $ ykman list
> YubiKey 5 NFC (5.2.7) [OTP+FIDO+CCID] Serial:
>
> Other packages:
>
> ii pcscd 2.3.3-1 amd64 Middleware to access a smart
> card using PC/SC (daemon side)
> ii scdaemon 2.4.7-14 amd64 GNU privacy guard - smart card
> support
>
> Running processes:
>
> root 2143 0.0 0.0 487728 8232 ? Sl 10:24 0:00
> /usr/sbin/pcscd
> andy 4308 0.0 0.0 164448 4320 ? SLl 10:25 0:00 scdaemon
> --multi-server
> root 4334 0.0 0.0 164448 4256 ? SLl 10:25 0:00 scdaemon
> --multi-server
>
> Although other aspects of gnupg may operate fine, for me this is a
> serious issue and I will need to downgrade to the previous upstream
> release in order to continue operating as a Debian contributor because
> my private key resides on my HSM!
>
> I appreciate that there has been a lot of work behind getting this new
> upstream release into Debian so thank you and I hope this bug report
> helps. Let me know if you need anything else from me.

Hello Andrew,

afaiui with gnupg 2.4 you have to either use gnupg's built-in ccid
driver *instead* of pcscd (i.e. stop pcscd from grabbing the device) or
configure gnupg to *not* use the built-in ccid driver:

scdaemon.1:
       --disable-ccid
              The integrated CCID driver for CCID compliant devices can
              be available when libusb was detected at build time, and
              it is used to access the smartcard reader. If access via
              PC/SC driver is needed, please configure this option to
              disable CCID driver support (if any). In GnuPG 2.2, there
              was a fallback mechanism from CCID driver to PC/SC driver.
              The fallback mechanism worked, because scdaemon in GnuPG
              2.2 only supported a single token/reader. To support of
              multiple tokens/readers at the same time, fallback
              mechanism was removed.

(This would be disable-ccid in ~/.gnupg/scdaemon.conf.)

Over at Ubuntu LP
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2061708
Julian Andres Klode recommends to choose the built-in ccid driver.
Yubikey otoh suggests pcscd
https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts

Archlinux has a little bit of info here:
https://wiki.archlinux.org/title/GnuPG#Smartcards

cu Andreas

https://dev.gnupg.org/T6871
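
A small check for the two setups described in this reply, added here as an example and not part of the original message or of GnuPG: it looks for an active disable-ccid line in scdaemon.conf and combines that with whether pcscd is running. The function names and result labels are assumptions made for this example, and the config files in the demo are constructed.

```shell
#!/bin/sh
# Added example: classify the pcscd / scdaemon reader setup from the reply above.

# True if the file holds an active "disable-ccid" line. A commented-out line
# ("# disable-ccid") starts with "#" and so never matches the whole-line grep.
has_disable_ccid() {
    [ -r "$1" ] || return 1
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -qx 'disable-ccid'
}

# Snapshot of the daemon state; pcscd may also be started on demand later.
pcscd_state() {
    if pgrep -x pcscd >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# classify_reader_setup CONF STATE   (STATE is "running" or "stopped")
#   conflict        built-in CCID driver enabled while pcscd holds the reader
#   ccid            built-in CCID driver, pcscd out of the way
#   pcsc            disable-ccid set, scdaemon goes through pcscd
#   pcsc-no-daemon  disable-ccid set but pcscd is not running right now
classify_reader_setup() {
    if has_disable_ccid "$1"; then
        [ "$2" = running ] && echo pcsc || echo pcsc-no-daemon
    else
        [ "$2" = running ] && echo conflict || echo ccid
    fi
}

# Demo on constructed config files (not the reporter's real configuration).
demo=$(mktemp -d)
printf '# disable-ccid\n' > "$demo/default.conf"
printf 'disable-ccid\n'   > "$demo/pcsc.conf"
echo "no option, pcscd running: $(classify_reader_setup "$demo/default.conf" running)"
echo "disable-ccid, pcscd running: $(classify_reader_setup "$demo/pcsc.conf" running)"
rm -rf "$demo"
# On a real system:
#   classify_reader_setup "$HOME/.gnupg/scdaemon.conf" "$(pcscd_state)"
```

A result of "conflict" corresponds to the situation in the report (pcscd running and the built-in driver not disabled), which is resolved either by stopping pcscd or by adding disable-ccid.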